IDS and IPS Systems: Key Tools in the Network Security Kit

Businesses large and small can all benefit from taking a closer look at their cybersecurity tools. As the risk of network breaches continues to climb, and as the security and compliance needs of industries and organizations evolve, security teams must find tools that do their job well and, ideally, automate those jobs to free team members for other projects. When looking for an easy-to-implement tool for network security, companies often turn to Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). In this article, we will look at how these systems work, how they differ, the ways they can benefit your company, and how you can minimize their downsides to get the most out of them.

Need help with all that data management? PlexTrac helps you bring all your security tools and reports together for faster remediation.

Two Tools to Combat Network Intrusion

The increasing risk of network penetration shows no sign of slowing down. In an age when, more than ever, business activity is occurring online, the glut of sensitive information stored on business networks is a tempting target for threat actors. Companies that offer any sort of online services need to ensure that they are exposing themselves, and their customers, to as few network penetration risks as possible.

Intrusion Detection System (IDS)

An intrusion detection system is a security tool that does exactly what you think it does: it detects intrusions in the network or device that it monitors. When an IDS is functioning properly, it scans the data flow of a network. Whenever it sees traffic that matches a known malicious signature, that heuristically resembles activity thought to be malicious, or that is anomalous relative to the normal traffic pattern, it sends the network administrator an alert with the details of what it found.
The alert function of an IDS can often be set as either active, where threats are reported in real time, or passive, where threats are logged into a report that is released to the network administrator on a scheduled basis.

The type of IDS you put to use depends largely on which gateway to the network it will be guarding. A network intrusion detection system (NIDS) is placed in your network architecture to monitor all information flowing in and out of the network. Two common implementations of NIDS are in-line and out-of-line. An out-of-line NIDS does not sit directly in the traffic path; it uses a network TAP to review a mirrored copy of the network activity, so it can inspect everything without slowing the network or disrupting traffic. An in-line NIDS sits directly between core networking devices and inspects traffic in real time. However, if an in-line NIDS fails, it can bring down the network with it.

A host-based intrusion detection system (HIDS) tracks data flow and system files on a particular device on the network, and directly tracks the activity of a host device or a system endpoint's network connection. HIDS typically combine both file-system-level and network-level (e.g. firewall) protection schemes.

Intrusion Prevention System (IPS)

An intrusion prevention system also works as a network screening tool, but while an intrusion detection system is a monitoring tool, an IPS is a control tool. The IPS distinguishes itself by scanning network activity for threats and then taking independent action depending on the nature of the identified threat. If an IPS detects a suspicious packet traveling through the network, it can deny or drop that packet, block malicious IP addresses, and communicate with the firewall so that identified sources of malicious activity are blocked from the network in the future.
How IDS and IPS Discover Intrusions

Both intrusion detection systems and intrusion prevention systems use a variety of ways to determine what network activity indicates malicious behavior, but they usually include signature-based and statistical anomaly detection.

Signature-based detection depends on the systems' growing directory of known and reported malicious activity or indicators. As malicious activity is encountered, each system documents the characteristics of the activity as a signature, which is then curated into a shared library that other systems can use.

The system's ability to detect statistical anomalies depends on the amount of data provided during setup. The system is (ideally) exposed to a large amount of standard and harmless network traffic to establish a network activity baseline. Using that baseline, the system can determine what activity falls outside the norm and either note it or stop its progress through the network, depending on the system type.

IDS and IPS Pros and Cons

No tool is perfect, especially when it comes to addressing complex problems. While automated and semi-automated tools can become more adept with additional training and resources, nothing can replace the judgment of a discerning human mind. That said, these tools are capable of some pretty amazing things.

Pros

Intrusion detection systems and intrusion prevention systems are capable of protecting your network from a wide range of risks. They can detect the activity of malware on servers and devices connected to the covered network, and through statistical anomaly detection they can also detect malicious manual network activity within the network and its connected devices (initiated by bad actors who already have access to the network).

One of the biggest benefits of both IDS and IPS is automation. Both of these systems can work almost completely independently after setup and initial tuning.
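The following is an added example, not code from the article or from PlexTrac, that puts the two ideas above into one miniature engine: a signature library matched against packet payloads, a statistical baseline learned from benign traffic, and the IDS versus IPS distinction from the earlier sections (an IDS only records an alert, an IPS drops the packet and adds the source to a blocklist that a real deployment would hand to the firewall). The packets, the signature names and the sizes of the "normal" traffic are all constructed for the example.

```python
"""Miniature IDS/IPS engine (added example, constructed data, not a real product)."""
import re
import statistics
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str        # source address (constructed)
    dst_port: int
    size: int       # bytes on the wire
    payload: str    # decoded application data (constructed)


# Hypothetical signature library: name -> pattern the payload is matched against.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
}


@dataclass
class Engine:
    mode: str                          # "ids" only alerts, "ips" drops and blocks
    baseline_mean: float = 0.0
    baseline_stdev: float = 0.0
    k: float = 3.0                     # how many standard deviations count as anomalous
    blocklist: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def train(self, sizes):
        """Learn the baseline from benign packet sizes seen during setup."""
        if len(sizes) < 2:
            raise ValueError("baseline needs at least two samples")
        self.baseline_mean = statistics.mean(sizes)
        self.baseline_stdev = statistics.pstdev(sizes)

    def inspect(self, pkt):
        """Return the verdict for one packet: 'pass', 'alert' or 'drop'."""
        if pkt.src in self.blocklist:          # IPS: previously blocked source
            return "drop"
        # Signature-based detection: any library entry found in the payload.
        reasons = [name for name, pat in SIGNATURES.items() if pat.search(pkt.payload)]
        # Statistical anomaly detection: z-score of the packet size against the baseline.
        if self.baseline_stdev > 0:
            z = (pkt.size - self.baseline_mean) / self.baseline_stdev
            if abs(z) > self.k:
                reasons.append(f"size-anomaly z={z:.1f}")
        if not reasons:
            return "pass"
        self.alerts.append((pkt.src, pkt.dst_port, reasons))
        if self.mode == "ips":
            self.blocklist.add(pkt.src)        # would be pushed to the firewall in practice
            return "drop"
        return "alert"


if __name__ == "__main__":
    benign_sizes = [500, 520, 480, 510, 490]   # constructed "normal" traffic
    ids = Engine(mode="ids")
    ids.train(benign_sizes)
    print(ids.inspect(Packet("10.0.0.7", 80, 505, "GET /../../etc/passwd")))  # alert
    ips = Engine(mode="ips")
    ips.train(benign_sizes)
    print(ips.inspect(Packet("10.0.0.9", 80, 900, "GET /big")))               # drop (anomaly)
    print(ips.inspect(Packet("10.0.0.9", 80, 505, "GET /index.html")))        # drop (blocklisted)
```

Training on only two benign samples gives a standard deviation so small that a perfectly ordinary packet is flagged, which is the false-positive failure mode the Cons section below describes; the cure is the same as the article's, a larger and more representative baseline.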
System administrators will need to review their findings regularly in order to patch any vulnerabilities the findings indicate, but the detection and prevention are handled by the systems on their own.

Cons

While these systems have some decided benefits, they do come with drawbacks that need to be considered when selecting your network security tools and when implementing them in your organization.

First, IDS and IPS both produce a massive amount of data to review. Even in a small organization, network activity can raise a large number of red flags. When reviewing the reports, it can be difficult for a security team to parse the findings and determine whether any action needs to be taken. Working through all of the findings can take up a lot of personnel time and energy, and your organization might not have the money or the labor to handle them effectively. Fortunately, users can create selective filters so that the systems only log qualified detected threats, which takes a bit of time at the outset but can save security teams a lot more time down the road.

False positives are another potential problem. Neither IDS nor IPS systems are infallible, and they will sometimes flag network activity as suspicious when there is no malicious activity. This is especially likely when the systems are using statistical anomaly detection; often, the system did not get full exposure to the range of standard network activity during setup and will then flag normal activity as suspicious. This is a particular problem with IPS, which will interfere and perhaps drop suspicious network packets that are actually legitimate. Again, as with the glut of findings, creating selective filters and adding data to refine the statistical anomaly baseline can handle most false positives.
Finally, since an IPS is in the direct path of network activity (as opposed to an IDS, which only scans a copy of the activity), it can slow down network speed when it scans large amounts of activity. Whether that is a problem for your organization depends on standard network activity, the network speed needed for regular operations, and other factors.

Despite these drawbacks, IDS and IPS can offer your organization solid network security benefits through ongoing and automated network scanning.

IDS/IPS and Pentesting

In addition to the IDS, IPS, and other safeguards that your organization may have in place, regular pentesting is a must for testing and finding vulnerabilities in your network's defenses. Whether you perform pentesting internally or rely on an outside firm, it is important to understand how IDS and IPS can affect external penetration testing and adjust accordingly.

For example, IDS and IPS will be triggered by bad actors scanning large numbers of network ports in a row from the same IP address. While these attackers can attempt to avoid detection by performing slow and targeted vulnerability scans for specific ports or services, hiding their source address behind a proxy, attacking from botnet clients, and other more time-consuming approaches, pentesters don't have the luxury of using these methods to work around IDS/IPS. When pentesters are hindered by IDS/IPS, they can miss crucial weaknesses.

To help pentesters perform an effective network test, security teams should arrange with the pentesting team to whitelist the pentesters' source IP addresses. This will enable the pentesters to simulate malicious attacks against your organization's network quickly and effectively, and by doing so, create a comprehensive report of all the weaknesses found.

How IDS and IPS Can Work for You

Intrusion Detection Systems and Intrusion Prevention Systems have evolved considerably since they were first introduced.
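The following is an added example, not code from the article or from PlexTrac, that ties together the two tuning points above: the "selective filters" the Cons section recommends for cutting down alert volume, and the pentest-window whitelisting this section recommends. It runs a simple port-scan heuristic (many distinct destination ports from one source to one host within a short window) over a constructed connection log, then passes the resulting alerts through two filters: an allowlist entry for the pentesters' source address that is only valid during the agreed engagement window, and a suppression rule for a known-noisy internal scanner. The addresses, timestamps, thresholds and rule structure are all assumptions made for the example.

```python
"""Port-scan alerts with tuning filters (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    ts: int          # seconds since epoch (constructed)
    src: str
    dst: str
    dst_port: int


# Constructed log: 10.0.0.50 and 10.0.0.99 each touch 15 ports in 15 seconds,
# 10.0.0.20 makes two ordinary HTTPS connections.
LOG = (
    [Conn(1000 + i, "10.0.0.50", "10.0.0.10", 20 + i) for i in range(15)]
    + [Conn(1005, "10.0.0.20", "10.0.0.10", 443), Conn(1006, "10.0.0.20", "10.0.0.10", 443)]
    + [Conn(2000 + i, "10.0.0.99", "10.0.0.10", 20 + i) for i in range(15)]
)


def detect_port_scans(log, window=60, threshold=10):
    """Alert once per (src, dst) pair that reaches `threshold` distinct ports within `window` seconds."""
    alerts = []
    by_pair = defaultdict(list)
    for c in sorted(log, key=lambda c: c.ts):
        by_pair[(c.src, c.dst)].append(c)
    for (src, dst), conns in by_pair.items():
        start = 0
        for end in range(len(conns)):
            while conns[end].ts - conns[start].ts > window:   # slide the window forward
                start += 1
            ports = {c.dst_port for c in conns[start:end + 1]}
            if len(ports) >= threshold:
                alerts.append({"sig": "port-scan", "src": src, "dst": dst,
                               "ts": conns[end].ts, "ports": len(ports)})
                break                                          # one alert per pair
    return alerts


@dataclass(frozen=True)
class Allow:
    src: str
    start: int     # engagement window agreed with the pentest team (constructed)
    end: int


def apply_filters(alerts, allowlist=(), suppress=()):
    """Drop alerts from allowlisted sources inside their window and (sig, src) pairs in `suppress`."""
    kept = []
    for a in alerts:
        if any(a["src"] == w.src and w.start <= a["ts"] <= w.end for w in allowlist):
            continue                       # pentester traffic during the agreed window
        if (a["sig"], a["src"]) in suppress:
            continue                       # known-noisy source for this signature
        kept.append(a)
    return kept


if __name__ == "__main__":
    raw = detect_port_scans(LOG)
    print(len(raw), "raw alerts:", [a["src"] for a in raw])
    tuned = apply_filters(raw,
                          allowlist=[Allow("10.0.0.50", 900, 1900)],        # pentest window
                          suppress={("port-scan", "10.0.0.99")})            # internal scanner
    print(len(tuned), "alerts after tuning")
```

The allowlist is time-bounded on purpose: a pentester address that stays whitelisted after the engagement ends is a permanent blind spot, so the entry expires with the window and alerts from that source outside it are kept.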
The most recent systems can integrate with firewalls to efficiently review all network activity with as little slowdown as possible. And as security needs change, IDS and IPS vendors will refine the systems to meet modern challenges.

IDS and IPS, as largely automated systems, can save your security team time by taking care of network monitoring. They can also help your organization meet industry-specific information security standards, and document vital data for compliance investigations. And, if configured correctly, these systems can help enforce internal security policies.

If these sound like attractive benefits, it may be time for your organization to give these systems a try. Book your demo of the PlexTrac platform today to learn how we can help you deal with your data and become more efficient and effective.